The Sarahah app exploded in a matter of weeks. With more than 18 million downloads worldwide, its users seem to enjoy exchanging ‘anonymous feedback’, but beyond the supposed entertainment, the software has a dark side.
Security researcher Zachary Julian discovered that Sarahah uploads the phone’s entire contact list, including email addresses, to the web. The behavior was verified on both iOS and Android, but the app’s creator said the extraction is tied to an abandoned feature that was never completely disabled.
In recent days I have seen several of my contacts post screenshots of the “criticism” they receive through the Sarahah application. Besides not being very impressed (the app has multiple performance and stability problems), everything I have read so far suggests that the courtesy on display is really an exercise in hypocrisy.
There is, however, a far more serious aspect of this software: it loves to collect the user’s private information. When an app gains popularity, security experts start analyzing its behavior, and what researcher Zachary Julian found is not pleasant.
On newer versions of Android and later builds of iOS, the app requests permission to “access contacts”, but in most cases the upload happens without any warning. As if that were not enough, Julian found that if the user does not open the app for a while (less than 48 hours), Sarahah sends the contacts again.
The specialized press tried to reach Sarahah, and after a brief silence its creator, Zain al-Abidin Tawfiq, said on Twitter that the reading of contacts will be removed in a future build, and that it had been intended for a planned “find your friends” function.
Apparently this function suffered “multiple technical problems”, and the partner responsible for removing it from the app (a partner who, incidentally, no longer works at Sarahah) never did. The function was purged on the server side, he said, and its databases store no contacts.
Of course, this statement cannot be verified without a full release of the Sarahah source code and a corresponding audit. Anyone who decides to keep using Sarahah after such a discovery should abandon the mobile app and log in through the website instead.
If you liked this article, do not forget to share it with your friends and family.